Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14OTVoLTk3OXgtY2Yzas0Wmg

Policies not properly enforced in bluemonday

The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.

Permalink: https://github.com/advisories/GHSA-x95h-979x-cf3j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14OTVoLTk3OXgtY2Yzas0Wmg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: 3 months ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00551
EPSS Percentile: 0.77344

Identifiers: GHSA-x95h-979x-cf3j, CVE-2021-42576
References:

Repository: https://github.com/microcosm-cc/bluemonday
Blast Radius: 59.3

Affected Packages

go:github.com/microcosm-cc/bluemonday

Dependent packages: 3,600
Dependent repositories: 15,065
Downloads:
Affected Version Ranges: < 1.0.16
Fixed in: 1.0.16
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15
All unaffected versions: 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 1.0.22, 1.0.23, 1.0.24, 1.0.25, 1.0.26, 1.0.27

pypi:pybluemonday

Dependent packages: 0
Dependent repositories: 74
Downloads: 20,291 last month
Affected Version Ranges: < 0.0.8
Fixed in: 0.0.8
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7
All unaffected versions: 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14